author: cjc <cjc@FreeBSD.org> 2003-03-15 01:13:00 +0000
committer: cjc <cjc@FreeBSD.org> 2003-03-15 01:13:00 +0000
commit: 94a234c212a5c9dd2d1959aeac7d473f32edc469 (patch)
tree: f3840357a5e252c7a31e997e327412353b89ccd6 /sbin
parent: aa8043306969e886fb266c66019106348e6fc690 (diff)
download: FreeBSD-src-94a234c212a5c9dd2d1959aeac7d473f32edc469.zip
          FreeBSD-src-94a234c212a5c9dd2d1959aeac7d473f32edc469.tar.gz
Add a 'verrevpath' option that verifies the interface that a packet comes in on is the same interface that we would route out of to get to the packet's source address. Essentially automates an anti-spoofing check using the information in the routing table. Experimental. The usage and rule format for the feature may still be subject to change.
Diffstat (limited to 'sbin')
-rw-r--r--  sbin/ipfw/ipfw.8   28
-rw-r--r--  sbin/ipfw/ipfw2.c  10
2 files changed, 38 insertions, 0 deletions
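The check the commit message describes, modelled in userland as an added example (this is not FreeBSD's kernel or ipfw code): a constructed routing table with hypothetical interface names (fxp0, fxp1, xl0), a longest-prefix lookup on the packet's source address, the verrevpath decision as the man page text in this commit states it (outgoing packets and packets with no incoming interface always match), and the `deny ip from any to any not verrevpath in` rule from the added documentation. The page does not say what happens when the source address has no route at all; treating that as "no match" is an assumption made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One entry of a constructed routing table: destination prefix and the
 * interface the route leaves through. Interface names are hypothetical. */
struct route {
    uint32_t    dst;     /* network address, host byte order */
    uint8_t     plen;    /* prefix length; 0 is the default route */
    const char *ifname;  /* outgoing interface */
};

/* Constructed sample table, not taken from any real system. */
static const struct route rtable[] = {
    { 0x0A000000u, 8,  "fxp0" },  /* 10.0.0.0/8      protected internal net */
    { 0xC0A80100u, 24, "fxp1" },  /* 192.168.1.0/24  second internal net   */
    { 0x00000000u, 0,  "xl0"  },  /* 0.0.0.0/0       default route, external */
};

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static uint32_t prefix_mask(uint8_t plen)
{
    return plen == 0 ? 0u : ((uint32_t)0xFFFFFFFFu << (32 - plen));
}

/* Longest-prefix-match lookup: the interface the system would route out of
 * to reach dst, or NULL when no route covers it. */
const char *route_lookup(uint32_t dst)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < sizeof(rtable) / sizeof(rtable[0]); i++) {
        const struct route *r = &rtable[i];
        uint32_t m = prefix_mask(r->plen);
        if ((dst & m) == (r->dst & m) && (best == NULL || r->plen > best->plen))
            best = r;
    }
    return best ? best->ifname : NULL;
}

/* verrevpath as the man page text describes it: outgoing packets and packets
 * with no incoming interface match; an incoming packet matches only when the
 * route back to its source address leaves through the interface it arrived on.
 * Assumption (not stated on the page): a source with no route does not match. */
int verrevpath(uint32_t src, int incoming, const char *rcvif)
{
    if (!incoming || rcvif == NULL)
        return 1;
    const char *out = route_lookup(src);
    return out != NULL && strcmp(out, rcvif) == 0;
}

/* The rule "deny ip from any to any not verrevpath in": returns 1 when the
 * packet would be dropped. "in" restricts the rule to incoming packets. */
int antispoof_rule_drops(uint32_t src, int incoming, const char *rcvif)
{
    return incoming && !verrevpath(src, incoming, rcvif);
}

int main(void)
{
    /* An internal source address arriving on the external interface is the
     * spoofing case the commit message and man page describe. */
    printf("10.1.2.3 in on xl0:      %s\n",
           antispoof_rule_drops(ip4(10, 1, 2, 3), 1, "xl0") ? "drop" : "pass");
    printf("10.1.2.3 in on fxp0:     %s\n",
           antispoof_rule_drops(ip4(10, 1, 2, 3), 1, "fxp0") ? "drop" : "pass");
    printf("203.0.113.9 in on xl0:   %s\n",
           antispoof_rule_drops(ip4(203, 0, 113, 9), 1, "xl0") ? "drop" : "pass");
    return 0;
}
```

The lookup is deliberately a plain longest-prefix match over a static table; on a host with more than one path to the same network (asymmetric routing) the single "outgoing interface for the route" this model returns is exactly why such hosts see legitimate packets fail the check.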
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 4dfd912..2968109 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1115,6 +1115,22 @@ Match all TCP or UDP packets sent by or received for a
A
.Ar user
may be matched by name or identification number.
+.It Cm verrevpath
+For incoming packets,
+a routing table lookup is done on the packet's source address.
+If the interface on which the packet entered the system matches the
+outgoing interface for the route,
+the packet matches.
+If the interfaces do not match up,
+the packet does not match.
+All outgoing packets or packets with no incoming interface match.
+.Pp
+The name and functionality of the option is intentionally similar to
+the Cisco IOS command:
+.Pp
+.Dl ip verify unicast reverse-path
+.Pp
+This option can be used to make anti-spoofing rules.
.El
.Sh SETS OF RULES
Each rule belongs to one of 32 different
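Review bot: the new paragraph should warn that the check assumes symmetric routing: on a multi-homed host where packets from a source legitimately arrive on an interface other than the one the routing table would use to reach that source, every such packet fails the check, so "This option can be used to make anti-spoofing rules." needs that caveat beside it. The sentence "All outgoing packets or packets with no incoming interface match." also leaves open what happens when the source address has no route at all; state whether that is a match. Minor: "The name and functionality of the option is intentionally similar" has a plural subject, so "are" reads better.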
@@ -1818,6 +1834,18 @@ The
.Nm ipfw1
syntax would require a separate rule for each IP in the above
example.
+.Pp
+The
+.Cm verrevpath
+option could be used to do automated anti-spoofing by adding the
+following to the top of a ruleset:
+.Pp
+.Dl "ipfw add deny ip from any to any not verrevpath in"
+.Pp
+This rule drops all incoming packets that appear to be coming to the
+sytem on the wrong interface. For example, a packet with a source
+address belonging to a host on a protected internal network would be
+dropped if it tried to enter the system from an external interface.
.Ss DYNAMIC RULES
In order to protect a site from flood attacks involving fake
TCP packets, it is safer to use dynamic rules:
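Review bot: "sytem" in "coming to the sytem on the wrong interface" is misspelled ("system"). Since the text puts `ipfw add deny ip from any to any not verrevpath in` at the very top of a ruleset, it should also say that on hosts with asymmetric routes (where the previous hunk's check fails for legitimate traffic) the rule needs to come after whatever rules pass that traffic, otherwise readers will copy the example verbatim and lock themselves out.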
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index 6d2857f..edec049 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -224,6 +224,7 @@ enum tokens {
TOK_ICMPTYPES,
TOK_MAC,
TOK_MACTYPE,
+ TOK_VERREVPATH,
TOK_PLR,
TOK_NOERROR,
@@ -333,6 +334,7 @@ struct _s_x rule_options[] = {
{ "MAC", TOK_MAC },
{ "mac", TOK_MAC },
{ "mac-type", TOK_MACTYPE },
+ { "verrevpath", TOK_VERREVPATH },
{ "not", TOK_NOT }, /* pseudo option */
{ "!", /* escape ? */ TOK_NOT }, /* pseudo option */
@@ -1162,6 +1164,10 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
}
break;
+ case O_VERREVPATH:
+ printf(" verrevpath");
+ break;
+
case O_KEEP_STATE:
printf(" keep-state");
break;
@@ -3160,6 +3166,10 @@ read_options:
ac--; av++;
break;
+ case TOK_VERREVPATH:
+ fill_cmd(cmd, O_VERREVPATH, 0, 0);
+ break;
+
default:
errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s);
}
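Review bot: `fill_cmd(cmd, O_VERREVPATH, 0, 0);` and the `case O_VERREVPATH:` in show_ipfw use an opcode that is defined nowhere in this diff; with the diffstat limited to sbin, the header that declares it (and the kernel-side match code) has to land in the same commit or ipfw2.c will not build against an older tree. Separately, the unchanged context line `errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s);` carries a trailing "\n" that errx(3) already appends; not part of this change, but worth dropping while touching this switch.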